62% of cloud security incidents come from vulnerabilities your team already knew about. The problem isn't visibility. It's remediation. AI is changing that -- fast. This week, Rocky and John sit down with Snir Ben Shimol, CEO of Zest Security, to break down why cloud vulnerability remediation is still one of the biggest unsolved problems in security and how autonomous AI agents are finally making it solvable. We cover the 30-to-90-day remediation window, why only 1-2% of vulnerabilities are actually exploitable in your environment, and how Zest's platform shrinks a backlog of 100,000 vulnerabilities by 70% in the first week -- without a single human in the loop. If you're running a CSPM, drowning in vulnerability backlogs, or wondering what practical AI in security actually looks like (not just marketing slides), this episode is for you. Chapters 00:00 - Introduction and recording setup 02:00 - The 62%: cloud incidents from known, unfixed vulnerabilities 03:32 - Snir's background: Israeli intelligence, Cybereason CISO, acquisition by Palo Alto 03:41 - Setting the stage: CSPM, Wiz, Orca, Tenable, Qualys 04:23 - Visibility is solved. Remediation is the new bottleneck. 06:49 - The math doesn't work: 30-90 days to remediate vs. 24 hours to exploit 07:23 - SANS and CSA call for a VulnOps practice (end of 2024) 08:34 - What Zest's Cloud Risk Exposure Impact Report actually found 11:25 - Why remediation takes so long: CABs, testing cycles, approvals 13:05 - Is this a process problem, a tooling problem, or an architecture problem? 15:28 - Only 1-2% of vulnerabilities are actually exploitable in your environment 16:36 - Mythos, AI-powered zero-day discovery, and the changing threat landscape 19:08 - Will AI make the exploitable percentage grow? 21:53 - How Zest uses AI agents to attack the remediation gap 23:16 - Shrinking a 100,000-vulnerability backlog by 70% in one week 24:37 - Remediation simulation with digital twin technology 26:41 - 15 fixes to close 80-90% of your critical exposure 29:49 - Mitigating controls: what to do when you can't patch right now 35:24 - Real story: a supply chain attack (Aqua/Trivy) contained in under 6 hours 37:40 - Autonomous agents: what Zest announced at RSA 41:47 - The future: zero humans in the loop, self-healing production environments 45:43 - Measuring what matters: mean time to remediation, not mean time to ticket 46:02 - Where to find Zest Security and request a demoLinks and Resources Zest Security (request a demo): https://zestsecurity.io Snir Ben Shimol on LinkedIn: https://www.linkedin.com/in/snirsbs/ Zest Cloud Risk Exposure Impact Report (the source of the 62% stat): https://zestsecurity.io Verizon Data Breach Investigations Report 2025: https://www.verizon.com/business/resources/reports/dbir/ Mandiant M-Trends 2025 Report: https://cloud.google.com/security/resources/m-trends SANS/CSA VulnOps guidance: https://www.sans.org Subscribe for new episodes every month covering cloud security, AI, and the tools actually being used in the field.
